Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

yet another nat question

Hey All,

I have been going through the posts regarding NAT and I think I am more confused. Here is what I have. I have a 515E 3FE ports. 2 networks on the inside interface routed via VLANs through a 4006. I need to translate the internal network 10.1.0.0/16, and not the other network which is our public stuff.

I am confused as to what Nat I need, PAT??? and Global statements. I do need to set up some acl's to specific host. For example. Our Mail Server has a public IP but I want it behind the firewall, I want all smtp to come only to that server and outbounds smtp traffic from our server to any

I think I have the acl's down but I don't have the slightest idea about global statements and such. I realize I am a bit vague, but I don't know where to begin. (how bout contracting it out....)

Thanks to all

Matt

3 REPLIES
New Member

Re: yet another nat question

HI.

> but I don't know where to begin

The PDM wizard will guide you with the initial config.

Then use PDM/CLI for the rest of the configuration.

Here are some links to help you out.

Using nat, global, static, conduit, and access-list Commands and Port Redirection on PIX

(Note that not all the sample in the following page apply to your scenario - these are just samples to show you what can be done, but not recommendations on what to do):

http://www.cisco.com/warp/public/707/28.html

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/

http://www.cisco.com/go/pix

http://teachers.sivan.co.il/yizhar/files/pixlinks.htm

One of the initial stages should be using syslog messages, as these are very helpful in troubleshooting.

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/63syslog/index.htm

Start logging at level 4 (warnings) .

Bye

Yizhar

New Member

Re: yet another nat question

Thanks Yizhar,

I think I found some samples of Nat and Pat. My issue before I can complete that is with routing.

From within the Pix I can ping the router connected to the internet as well has hosts out on the internet. I can ping Hosts on the private network, but I can't get traffic to pass through the pix and communitcate with the 2600 connected to the internet. Below is hopefully a picturial of what I have. My real public class c has been replaced with 192.168.0.0/24

INTERNET

I

2601 router

w/ 192.168.0.254 as ip address

I

w/ 192.168.0.252

PIX 515W

w/ 10.1.25.1

I

Vlan1 10.1.254.254

Vlan2 192.168.0.160

Catalyst 4006

I

Rest of network

i think the route for the 4006 should be

ip route 0.0.0.0 0.0.0.0 10.1.25.1

Is that correct? Also, there are static commands in the PIX that are

192.168.0.0 255.255.255.0 192.168.0.252 connect static, and

10.1.0.0 255.255.0.0 10.1.25.1 connect static.

when ever I try to make a static route for 10.1.0.0 network, it says that it alreay exists. I want to make one to 10.1.254.254. Do I route the ip address of the private interface of pix?

Hope you can help

Matt

New Member

Re: yet another nat question

here is what my config looks, my acl's and my routes:

my real class c has been replaced with 192.168.0.0/24 for this.

any blunders on my part?

XXXXXXXXXXXXX(config)# sh config

: Saved

:

PIX Version 6.1(4)

nameif ethernet0 outside security0

nameif ethernet1 inside security100

nameif ethernet2 dmz security50

enable password XXXXXXXXXXXXXXXXX encrypted

passwd XXXXXXXXXXXXXXXX encrypted

hostname XXXXXXXXXXXXXXXXXXX

domain-name XXXXXXXXXXXXXXXXX

fixup protocol ftp 21

fixup protocol http 80

fixup protocol h323 1720

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol sip 5060

fixup protocol skinny 2000

names

pager lines 24

interface ethernet0 auto

interface ethernet1 auto

interface ethernet2 auto

mtu outside 1500

mtu inside 1500

mtu dmz 1500

ip address outside 192.168.0.252 255.255.255.0

ip address inside 10.1.25.1 255.255.0.0

ip address dmz 127.0.0.1 255.255.255.255

ip audit info action alarm

ip audit attack action alarm

pdm location 10.1.20.2 255.255.255.255 inside

pdm location 10.1.20.1 255.255.255.255 inside

pdm history enable

arp timeout 14400

global (outside) 1 192.168.0.251 netmask 255.255.255.0

nat (inside) 1 10.1.0.0 255.255.0.0 0 0

route outside 0.0.0.0 0.0.0.0 192.168.0.254 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 si

p 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server RADIUS protocol radius

http server enable

http 10.1.20.2 255.255.255.255 inside

http 10.1.20.1 255.255.255.255 inside

snmp-server location XXXXXXXXXXXXX

snmp-server contact XXXXXXXXXXXXXXX

snmp-server community XXXXXXXXXX

no snmp-server enable traps

floodguard enable

sysopt noproxyarp inside

no sysopt route dnat

telnet 10.1.20.1 255.255.255.255 inside

telnet 10.1.20.2 255.255.255.255 inside

telnet timeout 5

ssh timeout 5

terminal width 80

Cryptochecksum:527c5f8d5501ab9142f2a44f6c8d6035

XXXXXXXXXXXX(config)# sh access-l

access-list inside_access_in permit icmp any any (hitcnt=0)

XXXXXXXXXXXX(config)# sh route

outside 0.0.0.0 0.0.0.0 192.168.0.254 1 OTHER static

inside 10.1.0.0 255.255.0.0 10.1.25.1 1 CONNECT static

dmz 127.0.0.1 255.255.255.255 127.0.0.1 1 CONNECT static

outside 192.168.0.0 255.255.255.0 192.168.0.252 1 CONNECT static

104
Views
0
Helpful
3
Replies
CreatePlease to create content